Critical Remote Code Execution in Palo Alto Networks PAN‑OS (CVE‑2026‑0300) Added to CISA KEV Catalog
What It Is – A high‑severity buffer‑overflow (CVSS 9.3) in the User‑ID Authentication Portal of Palo Alto Networks PAN‑OS allows an unauthenticated attacker to execute arbitrary code with root privileges on PA‑Series and VM‑Series firewalls.
Exploitability – The vulnerability is confirmed to be actively exploited in the wild; a proof‑of‑concept has been published by Palo Alto Networks and the U.S. CISA has listed it in its Known Exploited Vulnerabilities (KEV) catalog.
Affected Products – PAN‑OS versions 12.1, 11.2, 11.1, and 10.2 prior to the respective hot‑fix releases; PA‑Series and VM‑Series hardware firewalls. Cloud NGFW, Prisma Access, and Panorama appliances are not affected.
TPRM Impact – Any organization that relies on Palo Alto firewalls as a security control for its own customers or partners inherits the risk of remote code execution, potentially exposing downstream data and services. The flaw also creates a supply‑chain attack surface for managed‑service providers (MSPs) that host customer firewalls.
Recommended Actions –
- Immediately restrict access to the User‑ID Authentication Portal to trusted internal IP ranges.
- Apply the pending hot‑fixes as soon as they become available (expected May 13 2026).
- Enable network‑level filtering to block unauthenticated traffic to the portal from the internet.
- Monitor logs for anomalous traffic to the portal and for signs of exploitation.
- Validate third‑party firewall configurations for any of your vendors or MSPs that use PAN‑OS.
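One way to check the first and fourth actions against exported traffic logs, as an added example that is not from the source article or from Palo Alto Networks. The trusted ranges, portal address, listener ports and the simplified five-column CSV layout are assumptions to replace with your own values.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumptions (not from the advisory): adjust all three to your deployment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
PORTAL_IPS = {ipaddress.ip_address("203.0.113.10")}  # interface hosting the portal
PORTAL_PORTS = {6080, 6081, 6082}  # assumed portal listener ports; confirm locally

# Constructed sample export, layout: time,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
2026-05-08T10:00:01Z,10.1.2.3,203.0.113.10,6082,allow
2026-05-08T10:00:05Z,198.51.100.7,203.0.113.10,6082,allow
2026-05-08T10:00:06Z,198.51.100.7,203.0.113.10,6082,allow
2026-05-08T10:00:09Z,198.51.100.9,203.0.113.10,6081,deny
2026-05-08T10:00:12Z,198.51.100.7,203.0.113.10,443,allow
2026-05-08T10:00:15Z,not-an-ip,203.0.113.10,6082,allow
"""

def untrusted_portal_hits(log_text):
    """Count portal connections from outside the trusted ranges.

    Returns (allowed, blocked): Counters keyed by source IP. Any entry in
    `allowed` means the access restriction is not yet effective.
    """
    allowed, blocked = Counter(), Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _, src, dst, port, action = row
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport = int(port)
        except ValueError:
            continue  # unparseable address or port
        if dst_ip not in PORTAL_IPS or dport not in PORTAL_PORTS:
            continue  # not traffic to the portal
        if any(src_ip in net for net in TRUSTED_NETS):
            continue  # expected internal use
        (allowed if action == "allow" else blocked)[str(src_ip)] += 1
    return allowed, blocked

if __name__ == "__main__":
    ok, denied = untrusted_portal_hits(SAMPLE_LOG)
    print("reached portal from untrusted sources:", dict(ok))
    print("blocked before reaching portal:", dict(denied))
```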
Source: Security Affairs